I know IP address on my attacking machine is 192.168.238.137, and I know the subnet mask is 255.255.255.0. In CIDR notation, this means the subnet is /24. This tells me which part of my IP address is the network prefix (192.168.238), and which part is the host number (.137).

We can list out all the IP addresses in this range by using a list scan (-sP). This scan sends no packets to listed IP addresses, but it will attempt a reverse DNS resolution on each host.

# nmap -sL 192.168.238.0/24

Since there are 256 addresses outputted by this command, I will not paste them here.

Let’s explore other machines with ping sweep. This scan does not scan any ports, but only reports on which hosts are up by pinging them. Older versions of nmap us -sP. Newer versions will use -sn

I know the 192.168.238.2 addresses is my default gateway, and 192.168.238.136 is my local machine. What are those other three addresses? One of them is the Metasploitable machine. I’m not sure what the other two are.

The ping scan will ping the host, send a TCP SYN, a TCP ACK, and request an ICMP timestamp. If any of these requests receive a response, we know the host is alive. If there was a firewall or other device blocking these requests, the ping scan might show that no host is up at an IP address, and you will need to use a different method of host discovery. The -Pn scan will attempt a port scan on every IP address in the given range. We’ll speed it up with the -F flag to only scan 100 ports.

TCP SYN pings initiate the first step in the TCP handshake on a given port. If the host responds with TCP ACK, we know the host is alive, and we close the handshake with a RST packet.

TCP ACK pings send the ACK to a host, making the host think a handshake was initiated. Since the host knows it didn’t send a SYN, it will respond with a RST packet to stop the handshake, letting us know the host is alive.

UDP pings send a UDP packet to a certain port. It receives an ICMP port unreachable packet if the port is closed, but that lets us know the host is alive.

I will set up an IDS in the Kali machine to monitor traffic across the network. I will then perform different stages of an attack and monitor which attacks alert the IDS. We will look at both stealthy attacks and loud smash-and-grab attacks.

Now when looking at the passwords, I notice that they all start with the marker “$2a$12$”.

This is Linux /etc/shadow notation. Linux keep the passwords in the /etc/shadow file. This file is readable only to root accounts. It contains the password hashes of all users. We call “shadow” because it is a shadow file of the /etc/passwd file. /etc/passwd is world readable, so we obviously don’t want to store our password hashes in this file. When we shadow the password file, /etc/passwd will only store an “x” for the password.

Back to the marker “$2a$12$” in the database. I know that the passwords were hashed with the Blowfish algorithm. The bcrypt algorithm implements Blowfish, so I’m that was the algorithm the website used to hash password. The $12$ means a cost factor of 12, or 12 rounds of bcrypt.

bcrypt, along with scrypt and PBKDF2 are a family of algorithms for hashing passwords. They are all considered “slow” for a computer to perform in relation to other algorithms like MD5 or SHA, so that if a database is compromised and the hashes revealed to an outsider, any brute force or dictionary attacks will be handicapped.

“Bcrypt happens to heavily rely on accesses to a table which is constantly altered throughout the algorithm execution. This is very fast on a PC, much less so on a GPU, where memory is shared and all cores compete for control of the internal memory bus.”

With that being said, it is unlikely I will be able to crack any passwords from this database.

Another thing I noticed was the repeated password of “111111Iwillneverdoitagain”. I would assume that this is how the website disabled accounts, since it would be extremely difficult to find a string whose hash equals “111111Iwillneverdoitagain”.

And now MySQL will import the database.
Note: Do not use the MySQL source command to import large databases. Source is designed to run a small number of SQL queries, and will take a long time to import a large database.